Senate approves PM setting up National Data Protection Authority

On May 29th, 2019, Provisory Measure (PM) 869/18, which modifies the General Law for the Protection of Personal Data (LGPD, in Portuguese) and recreates the National Data Protection Authority (NDPA), was approved by the Senate in the form of Conversion Bill no. 07/2019. It now awaits the sanction of the Presidency of the Republic, which is expected to happen soon. The PM seeks to give more protection to personal data and to establish exceptions under which the Public Authorities can transfer the data to private companies, maintaining the need for the National Authority to be informed about this transfer of data.

Thus, the NDPA has as its attributions, firstly, to ensure the protection of personal data, to issue rules and procedures regarding personal data, and to issue administrative-level understandings on the interpretation of the LGPD, its attributions and cases of omission, as well as other assignments.

Additionally, as a rule, the transfer of data from the databases of Public Authorities to private entities is prohibited. However, the final text of the PM provides for two exceptions: (i) when there is a legal provision or the transfer is backed by contracts, agreements or similar instruments; and (ii) when the measure has the sole purpose of preventing fraud and irregularities or protecting the security and integrity of the data subject, provided that treatment is prohibited for other purposes.

Among other modifications, PM 869/18 has also brought changes regarding the use of sensitive data. In that sense, administrators of private healthcare plans and health insurance are prohibited from carrying out the treatment of sensitive data for practices of evaluating risks in the contracting process of any health plan modalities, as well as for the exclusion of beneficiaries.

Finally, the regulation will define in which cases there should be a review by a natural person and not by computational algorithms, taking into consideration the nature and size of the management entity or the volume of data processing operations.

SAEKI ADVOGADOS remains available to provide guidance on the measures necessary to comply with the provisions of the LGPD and to clarify any questions that may arise.